Cisco 819 Cellular IP is different from whatismyip.com

owen2
Level 1

Hi all,

I am implementing a Cisco 819 4G router at a remote office with a VPN back to HQ.
After all the NAT and access-list work is done, the remote side is able to access the internet.

When implementing the IPsec VPN, the IP shown on the Cellular interface (10.234.79.18) is different from the one on whatismyip.com (183.90.37.234).

I tried to set both IPs as a peer.
Neither works in this case.

Does this mean I am not able to set up an IPsec VPN?

 

config as below:

boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
no aaa new-model
!
!
!
!
!
!


!
!
!
!
ip domain name Winston.local
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
chat-script gsm "" "ATDT*98*2#" TIMEOUT 60 "CONNECT"
!
!
!
!
!
!
liid C819HG-4G-G-K9 sn FGL193423MB
!
!
!
!
!
!
!
controller Cellular 0
!
ip ssh time-out 90
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 14
crypto isakmp key Pass12 address X.X.X.X
!
!
crypto ipsec transform-set VPN esp-3des esp-sha512-hmac
mode tunnel
!
!
!
crypto map VPN 1 ipsec-isakmp
set peer X.X.X.X
set transform-set VPN
match address VPN-FG
!
!
!
!
!
!
interface Cellular0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer watch-group 1
async mode interactive
crypto map VPN
routing dynamic
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
ip address 10.20.1.254 255.255.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
!
ip access-list extended VPN-FG
permit ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
!
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
!
access-list 100 permit ip 10.20.0.0 0.0.255.255 any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
exec-timeouodem enable
stopbits 1
line aux 0
stopbits 1
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
script dialer lte
no exec
rxspeed 100000000
txspeed 50000000
line vty 0 4
login
transport input all
!
no scheduler max-task-time
scheduler allocate 20000 1000
ntp update-calendar
!
end

 

4 Replies

Hello,

 

on the HQ side, you need to configure a dynamic map, in order to deal with the dynamic/changing IP address on the 819. It is actually very common to do that, and fairly simple. Post the configuration of the HQ router so we can fill in the bits and pieces...

 

 

Hello @Georg Pauwen 

Not sure I understand your statement regarding a dynamic map. Can you elaborate?

This OP seems to indicate IPsec with NAT is the problem, and if it is, it would most probably be due to the tunnel source header of the packet being changed to the post-NATted tunnel source header, which is usually down to IPsec and NAT not being compatible. So to overcome this, NAT-Traversal is used, which basically encapsulates the IPsec in its own non-encrypted header to allow communication.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
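
Added example, not posted by anyone in this thread: a sketch of the HQ-side dynamic crypto map and NAT-Traversal setting that the two replies above describe, assuming the HQ device is a Cisco IOS router (the thread never shows it). The names DYN-VPN, HQ-VPN and VPN-819, the interface GigabitEthernet0/0 and the key placeholder are hypothetical; the subnets and proposals mirror the 819 config in the question.

```cisco
! --- HQ router (assumed Cisco IOS; added example, not from the thread) ---
!
! Phase 1 proposal must match the 819 (AES-256, pre-shared key, DH group 14).
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 14
!
! The 819 arrives from whatever address the carrier NAT assigns, so the key
! cannot be bound to one peer IP. A wildcard key accepts any source that
! knows it, so use a long random value (placeholder shown).
crypto isakmp key <PRE-SHARED-KEY> address 0.0.0.0 0.0.0.0
!
! NAT-Traversal: wraps ESP in UDP/4500 once NAT is detected on the path.
! Enabled by default in IOS; listed so it is not disabled by accident.
crypto ipsec nat-transparency udp-encapsulation
!
! Phase 2 proposal copied from the 819 so both ends agree.
crypto ipsec transform-set VPN esp-3des esp-sha512-hmac
 mode tunnel
!
! Mirror image of VPN-FG on the 819: HQ LAN to remote LAN.
ip access-list extended VPN-819
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
! Dynamic map entry: no "set peer", the peer address is learned when the
! 819 initiates the tunnel.
crypto dynamic-map DYN-VPN 10
 set transform-set VPN
 match address VPN-819
!
! Attach the dynamic map at a high sequence number so static entries,
! if any, are evaluated first.
crypto map HQ-VPN 65000 ipsec-isakmp dynamic DYN-VPN
!
! Hypothetical Internet-facing interface on the HQ router.
interface GigabitEthernet0/0
 crypto map HQ-VPN
```

With a dynamic map only the 819 can bring the tunnel up, and its `set peer` must be the HQ public address. `show crypto isakmp sa` and `show crypto ipsec sa` on either router show whether phase 1 and phase 2 completed.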

Hello Paul,

 

as I understand it, NAT is working, but the IPSec VPN is not, due to the cellular interface having a dynamic IP address...

 

--> implement cisco 819 4G router on remote office and VPN back to HQ
--> After all Nat and access-list is done, the remote side is able to access the internet.

--> try to set both IP as a peer.
--> none works for the case.

 

Either way, better ask OP...

Hello

just to confirm 

GRE VPN - NAT works

IPSEC/GRE VPN no NAT doesn’t work



Kind Regards
Paul